Linaro Clear Key
Implemented by: Matt Snoby
Jan 2015
Revision 0.4
Introduction
CDM APIs.
License / Key Exchange
Provisioning
What is a promise and how does it work?
The Clear Key Implementation.
Linaro Clear Key CDM Class
Class Relationships
OpenCDM
Current state of the implementation
Integrating 3rd Party DRM’s.
Introduction
The goal of the Linaro external Clear Key implementation was knowledge aggregation and a launch
pad for future security offerings. Decrypted buffer protection with ARM TrustZone® and
integration with an external media engine (gstreamer) are examples of where Linaro can help showcase
current STB technology. This implementation will be open sourced for other developers to use as a
reference.
CDM APIs.
The Chromium API of the Content Decryption Module (CDM) doesn’t look like
the EME picture on the W3C webpage:
Specifically, we do not see calls to Generate Request, License Request, etc. in the APIs of the
Chromium CDM implementation. The actual calls are methods such as CreateSession, LoadSession,
UpdateSession, CloseSession and RemoveSession. The picture is really a description of the flow of
information from the point of view of the JavaScript EME design, not of the API calls of the CDM.
This diagram (with some details left out for brevity) shows how Clear Key conceptually works from
the application to the decoded frame.
“A Key Session, or simply Session, provides a context for message exchange with the CDM as a result
of which key(s) are made available to the CDM.” [1]
Besides these CDM method calls that must be implemented, a decryptor object must be created to
decrypt content. This object handles calls to add a key to the session and also extracts keys from a
JWK set, which is the format the license and keys are delivered in. [2] The actual functionality of
decryption can be / should be ported to hardware acceleration. To be clear, it is not necessary to
implement a decryptor object as defined by Chromium. As long as the CDM implementation properly
handles the messaging events and promise callbacks, the CDM can internally handle the decryption as
it sees fit.
License / Key Exchange
As the first paragraph of the EME spec says:
“The API supports use cases ranging from simple clear key decryption to high value video (given an
appropriate user agent implementation). License/key exchange is controlled by the application,
facilitating the development of robust playback applications supporting a range of content decryption
and protection technologies.”
Once the browser instantiates a CDM session (createSession), the CDM fires a message requesting
a key from the license server. This message does not go directly to the license server: it is
sent to the MediaKeySession in the browser, and the application then sends it to the license
server. Once the response from the server is obtained, it is passed to the CDM with the update
message.
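The exchange described above, together with the JWK set handling from the CDM APIs section, as an added example in JavaScript (Node.js) that is not part of the original document or of the Linaro or Chromium code. The message layout follows the W3C Clear Key license format cited in footnote 2; the function names, the in-memory key store standing in for the license server, and the key values are constructed for illustration.

```javascript
// Added example, not Linaro or Chromium code. Function names, the in-memory
// key store and all key material are constructed for illustration.

// "kid" and "k" travel as base64url without padding.
function b64urlEncode(buf) {
  return Buffer.from(buf).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function b64urlDecode(str) {
  if (typeof str !== 'string' || !/^[A-Za-z0-9_-]+$/.test(str)) {
    throw new TypeError('value is not base64url');
  }
  return Buffer.from(str.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
}

// CDM side: body of the message fired after createSession.
function buildLicenseRequest(keyIds, sessionType = 'temporary') {
  return JSON.stringify({ kids: keyIds.map(b64urlEncode), type: sessionType });
}

// License-server side (hypothetical): answer a request with a JWK Set.
// keyStore maps a hex key ID to the raw key bytes.
function buildLicense(requestJson, keyStore) {
  const req = JSON.parse(requestJson);
  if (!Array.isArray(req.kids) || req.kids.length === 0) {
    throw new Error('license request carries no key IDs');
  }
  const keys = req.kids.map((kid) => {
    const key = keyStore.get(b64urlDecode(kid).toString('hex'));
    if (!key) throw new Error('unknown key ID ' + kid);
    return { kty: 'oct', kid, k: b64urlEncode(key) };
  });
  return JSON.stringify({ keys, type: req.type || 'temporary' });
}

// CDM side: what the decryptor object does with the update payload.
// The 16-byte check assumes AES-128 content keys with 16-byte key IDs.
function extractKeysFromJwkSet(licenseJson) {
  const set = JSON.parse(licenseJson);
  if (!set || !Array.isArray(set.keys) || set.keys.length === 0) {
    throw new Error('license is not a JWK Set with keys');
  }
  const sessionKeys = new Map();
  for (const jwk of set.keys) {
    if (jwk.kty !== 'oct') throw new Error('unsupported key type ' + jwk.kty);
    const kid = b64urlDecode(jwk.kid);
    const key = b64urlDecode(jwk.k);
    if (kid.length !== 16 || key.length !== 16) {
      throw new Error('kid and k must both decode to 16 bytes');
    }
    sessionKeys.set(kid.toString('hex'), key);
  }
  return sessionKeys;
}

// Page side: the application relays both messages; the CDM never contacts
// the license server itself.
function runExchange(keyIds, keyStore) {
  const steps = [];
  const request = buildLicenseRequest(keyIds);
  steps.push('CDM -> page: message (license request)');
  steps.push('page -> license server: request over HTTPS');
  const license = buildLicense(request, keyStore); // stands in for the HTTPS round trip
  steps.push('license server -> page: JWK Set');
  const sessionKeys = extractKeysFromJwkSet(license);
  steps.push('page -> CDM: update (license)');
  return { steps, request, license, sessionKeys };
}

// Constructed sample data.
const SAMPLE_KID = Buffer.from('000102030405060708090a0b0c0d0e0f', 'hex');
const SAMPLE_KEY_STORE = new Map([
  [SAMPLE_KID.toString('hex'), Buffer.from('101112131415161718191a1b1c1d1e1f', 'hex')],
]);

const demo = runExchange([SAMPLE_KID], SAMPLE_KEY_STORE);
console.log(demo.steps.join('\n'));
console.log(demo.request);
```

Because the license is a plain JWK Set, the key is readable by the page and by anything that sees the traffic in clear, which is why the later requirement for HTTPS on all CDM message traffic matters even for this simple key system.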
The big difference between the existing embedded DRM systems of today and what the W3C is
promoting is that all authentication and authorization functionality is now handled in the application.
In addition, no out-of-band communication, in other words no direct communication, can happen between the
CDM (DRM system) and the licensing or other server (i.e. secure gateway). This mentality is very
different from the monolithic solutions that are currently promoted in the embedded DRM ecosystems.
Systems such as Intertrust(R), PlayReady(R), Verimatrix and VideoGuard are examples that must be
adapted to work with the EME specification. That’s not to say that these systems will not work with the
EME specification, just that changes will have to be made to bring some logic out of the embedded key
system and place it in the HTML5 / JavaScript application.
1 http://www.w3.org/TR/2014/WD-encrypted-media-20140828/#definitions
2 http://www.w3.org/TR/encrypted-media/#clear-key-license-format
Provisioning
In current embedded DRM applications, provisioning of the hardware device is done in an out-of-band
manner via calls between the DRM system and a secure server. For the EME spec this is not allowed.
“The common API supports a simple set of content encryption capabilities, leaving application functions
such as authentication and authorization to page authors. This is achieved by requiring content
protection system-specific messaging to be mediated by the page rather than assuming out-of-band
communication between the encryption system and a license or other server.” [3]
Basically, for privacy reasons the EME spec does not want any distinctive identifiers to be passed to the
JavaScript application. [4] However, distinctive identifiers that are encrypted can be sent to the CDM.
The data path must be through session messages. [5] Once the CDM decrypts this distinctive identifier,
the unencrypted distinctive identifier must never be shared outside of the CDM. Also, for increased
security the application must use secure transport (e.g. HTTPS) for all traffic containing messages from
the CDM (e.g. all data passed from message events and update method calls). One final note: the
distinctive identifier (or pairing data if you like) will be allowed to be reset by the user just like a cookie
can be reset / deleted. [6]
What is a promise and how does it work?
Coming from an embedded background and jumping into the Chromium source code, I found many
nuances that I had never seen before; one of them was the concept of a promise. In its simplest form
a promise represents the eventual result of an asynchronous operation. This is for scripting languages
that need to know when an asynchronous operation has completed and what the result of that
operation was.
In the CDM implementation when a new session is created several function callbacks are registered
with the promise_id. They are triggered automatically by the chromium cdmadapter code. Basically
the implementer must register some function pointers for when certain operations have completed. For
specific examples please see the chromium external clear key source code or the Linaro external key
source code.
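A model of the promise_id bookkeeping described above, as an added example in JavaScript that is not taken from the Chromium or Linaro sources. PromiseTable and ToyCdm are hypothetical names; createSession, updateSession and closeSession mirror the CDM methods named earlier in this document, and the session IDs and license string are constructed.

```javascript
// Added model, not Chromium or Linaro code. The adapter keeps the completion
// callbacks and hands the CDM only an integer promise_id.

class PromiseTable {
  constructor() {
    this.nextId = 1;
    this.pending = new Map(); // promise_id -> { method, onResolve, onReject }
  }

  // Adapter side: register the callbacks for one operation.
  register(method, onResolve, onReject) {
    const id = this.nextId++;
    this.pending.set(id, { method, onResolve, onReject });
    return id;
  }

  // Remove the entry before invoking it so a promise_id settles once only.
  take(id) {
    const entry = this.pending.get(id);
    if (!entry) throw new Error(`promise_id ${id} is unknown or already settled`);
    this.pending.delete(id);
    return entry;
  }

  resolve(id, value) { this.take(id).onResolve(value); }
  reject(id, reason) { this.take(id).onReject(reason); }

  // Operations the CDM never completed; each one is a page-side promise
  // that stays pending forever.
  outstanding() {
    return [...this.pending.values()].map((e) => e.method);
  }
}

class ToyCdm {
  constructor(table) {
    this.table = table;
    this.sessions = new Map(); // session_id -> { hasKeys }
    this.counter = 0;
  }

  createSession(promiseId) {
    const sessionId = `session-${++this.counter}`;
    this.sessions.set(sessionId, { hasKeys: false });
    this.table.resolve(promiseId, sessionId);
  }

  updateSession(promiseId, sessionId, license) {
    const session = this.sessions.get(sessionId);
    if (!session) return this.table.reject(promiseId, 'no such session');
    if (!license) return this.table.reject(promiseId, 'empty license');
    session.hasKeys = true;
    this.table.resolve(promiseId);
  }

  closeSession(promiseId, sessionId) {
    if (!this.sessions.delete(sessionId)) {
      return this.table.reject(promiseId, 'no such session');
    }
    this.table.resolve(promiseId);
  }
}

// Drive one session through its lifetime and record every completion.
function runSessionLifecycle() {
  const table = new PromiseTable();
  const cdm = new ToyCdm(table);
  const log = [];
  const call = (method, ...args) => {
    const id = table.register(
      method,
      (value) => log.push(`${method}#${id} resolved${value ? ' ' + value : ''}`),
      (reason) => log.push(`${method}#${id} rejected: ${reason}`));
    cdm[method](id, ...args);
    return id;
  };
  call('createSession');
  call('updateSession', 'session-1', 'constructed-license');
  call('updateSession', 'session-9', 'constructed-license'); // unknown session
  call('closeSession', 'session-1');
  return { log, table };
}

console.log(runSessionLifecycle().log.join('\n'));
```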
3 https://w3c.github.io/encrypted-media/
4 https://w3c.github.io/encrypted-media/#definitions
5 https://w3c.github.io/encrypted-media/#encrypt-identifiers
6 https://w3c.github.io/encrypted-media/#allow-identifiers-to-be-cleared
The Clear Key Implementation.
The call flows to decrypt data in the existing Linaro Clear Key implementation are shown in the
sequence diagram below. The Clear Key implementation is a VERY simple implementation: it doesn’t
support features such as persistent state sessions or server certificates. Future enhancements to this
design are to send the encrypted packets to a hardware decryptor and to send those decrypted
packets via protected hardware to the hardware video decoder.
Linaro Clear Key CDM Class
The Linaro Clear Key CDM is very much self contained in one source directory and implemented in an
extended media class. Below you will find a UML diagram detailing the implementation that
corresponds to the sequence diagram previously referenced.
Class Relationships
OpenCDM
Fraunhofer FOKUS has created an open source implementation of a CDM interface. It has been tested
against Microsoft PlayReady(R).
The Fraunhofer FOKUS interface has added support for the media engine to authenticate itself to the
DRM platform. That being said, on an embedded system, if the file system is read-only and the platform
image is authenticated at boot, I wonder how necessary this feature is?
The architecture notes for the OCDM (Open Content Decryption Module):
https://github.com/fraunhoferfokus/open-content-decryption-module/blob/master/docs/architecture_notes_ocdm.md
Specifically the OCDM has 3 abstraction layers:
● Browser Glue (implementation exists for Opera and Chromium)
● Core
● Communication
A more in-depth examination of running OCDM in Chromium should be done. I would also note that
having support for OCDM does not exclude support for the native Chromium CDM at the same time.
Multiple CDMs can be available to the browser at once.
Current state of the implementation
The Linaro Clear Key implementation has the same basic layout as the Chromium external clear key
implementation; however, at this time there are no software decryptors and no video decoders
implemented. It would be very easy to implement these features in software, but since the STB
hardware is our target platform we need to implement platform software to target hardware
acceleration.
That being said, the call flows are the same (just no decrypted video comes out the display). The next
steps for the Linaro CDM should be the following:
● Move away from the DecryptandDecode implementation. This is how the initial work has been
developed: the packets are decrypted and the decrypted frames are passed to the browser for
rendering (via ffmpeg).
● Move away from the simple clear key implementation and use a simple DRM system that will
have a license server so that keys can be fetched and the call flow is as close to real world as
possible.
● Have the decrypted packets played back with gstreamer or some other media playback
mechanism.
● Showcase the ability of the ARM TrustZone(R) to protect decrypted video buffers in a secure
playback pipeline.
Integrating 3rd Party DRM’s.
Integrating a third party DRM system such as VideoGuard or Verimatrix into an EME based solution is
very much possible. This has already been accomplished with solutions like Widevine and PlayReady.
Some general steps that will be required for implementation include, but are not limited to:
1. A session based glue layer implemented on top of the DRM.
2. As previously described, all communications to and from the secure server must happen through
the user agent (web browser JavaScript app) in a secure HTTPS manner. No out-of-band
communication is allowed.
3. A JavaScript / HTML5 app must be written to do the authorization, authentication and
personalization of the connection. It must also proxy all communications to and from the CDM
implementation.
4. All persistent sessions shall have to implement the CDM persistent memory APIs.
These are just some of the changes that must be implemented to port an existing DRM system to a
CDM / EME implementation.

HKG15-407: Linaro Clear Key

  • 1. Linaro Clear Key Implemented by: Matt Snoby Jan 2015 Revision 0.4
  • 2. Introduction CDM APIs. License / Key Exchange Provisioning What is a promise and how does it work? The Clear Key Implementation. Linaro Clear Key CDM Class Class Relationships OpenCDM Current state of the implementation Integrating 3rd Party DRM’s.
  • 3. Introduction The goal of the Linaro external clear key implementations was for knowledge aggregation and a launch pad for future security offerings. Such things as decrypted buffer protection with ARM TrustZone® and integration with an external media engine (gstreamer) are examples where Linaro can help showcase current STB technology. This implementation will be open sourced for other developers to use as a reference.
  • 4. CDM APIs. The implementation of the Chromium API of the Content Decryption Module (CDM) doesn’t look like what the EME picture looks like on the W3C webpage:
  • 5. Specifically, we do not see calls to Generate Request, License Request, etc. in the APIs of the Chromium CDM implementation. The actual calls are methods such as CreateSession, LoadSession, UpdateSession, CloseSession and RemoveSession. The picture is really a description of the flow of information from the point of view of the JavaScript EME design, not of the API calls of the CDM.
      This diagram (with some details left out for brevity) shows how Clear Key conceptually works from the application to the decoded frame.
  • 6. “A Key Session, or simply Session, provides a context for message exchange with the CDM as a result of which key(s) are made available to the CDM.” [1]
      Besides these CDM method calls that must be implemented, a decryptor object must be created to decrypt content. This object handles calls to add a key to the session and also extracts keys from a JWK set, which is the format the license and keys are delivered in. [2] The actual decryption functionality can be, and should be, ported to hardware acceleration. To be clear, it is not necessary to implement a decryptor object as defined by Chromium. As long as the CDM implementation properly handles the messaging events and promise callbacks, the CDM can internally handle the decryption as it sees fit.

      License / Key Exchange
      As the first paragraph of the EME spec says: “The API supports use cases ranging from simple clear key decryption to high value video (given an appropriate user agent implementation). License/key exchange is controlled by the application, facilitating the development of robust playback applications supporting a range of content decryption and protection technologies.”
      Once the browser instantiates a CDM session (createSession), the CDM fires a message requesting a key from the license server. This message does not go directly to the license server: it is sent to the MediaKeySession in the browser, and the application then sends it to the license server. Once the response from the server is obtained, it is passed to the CDM with the update message.
      The big difference between the embedded DRM systems of today and what the W3C is promoting is that all authentication and authorization functionality is now handled in the application. In addition, no out-of-band communication (in other words, direct communication) can happen between the CDM (DRM system) and the licensing or other server (i.e. a secure gateway).
      This mentality is very different from the monolithic solutions that are currently promoted in the embedded DRM ecosystems. Systems such as Intertrust(R), PlayReady(R), Verimatrix and VideoGuard are examples that must be adapted to work with the EME specification. That is not to say that these systems will not work with the EME specification, just that changes will have to be made to move some logic out of the embedded key system and into the HTML5 / JavaScript application.

      [1] http://www.w3.org/TR/2014/WD-encrypted-media-20140828/#definitions
      [2] http://www.w3.org/TR/encrypted-media/#clear-key-license-format
  • 7. Provisioning
      In current embedded DRM applications, provisioning of the hardware device is done in an out-of-band manner via calls between the DRM system and a secure server. For the EME spec this is not allowed.
      “The common API supports a simple set of content encryption capabilities, leaving application functions such as authentication and authorization to page authors. This is achieved by requiring content protection system-specific messaging to be mediated by the page rather than assuming out-of-band communication between the encryption system and a license or other server.” [3]
      Basically, for privacy reasons the EME spec does not want any distinctive identifiers to be passed to the JavaScript application. [4] However, distinctive identifiers that are encrypted can be sent to the CDM. The data path must be through session messages. [5] Once the CDM decrypts this distinctive identifier, the unencrypted distinctive identifier must never be shared outside of the CDM. Also, for increased security the application must use secure transport (e.g. HTTPS) for all traffic containing messages from the CDM (e.g. all data passed from message events and update method calls).
      One final note: the distinctive identifier (or pairing data if you like) will be allowed to be reset by the user just like a cookie can be reset / deleted. [6]

      What is a promise and how does it work?
      Coming from an embedded background, jumping into the Chromium source code had many nuances that I had never seen before; one of them was the concept of a promise. In its simplest form, a promise represents the eventual result of an asynchronous operation. This is for scripting languages that need to know when an asynchronous operation has completed and what the result of that operation was.
      In the CDM implementation, when a new session is created several function callbacks are registered with the promise_id. They are triggered automatically by the Chromium cdmadapter code. Basically, the implementer must register some function pointers for when certain operations have completed. For specific examples please see the chromium external clear key source code or the Linaro external key source code.

      [3] https://w3c.github.io/encrypted-media/
      [4] https://w3c.github.io/encrypted-media/#definitions
      [5] https://w3c.github.io/encrypted-media/#encrypt-identifiers
      [6] https://w3c.github.io/encrypted-media/#allow-identifiers-to-be-cleared
  • 8. The Clear Key Implementation.
      The call flow to decrypt data in the existing Linaro Clear Key implementation is shown in the sequence diagram below. The clear key implementation is a VERY simple implementation; it doesn’t support features such as persistent state sessions or Server Certificates. Future enhancements to this design are to send the encrypted packets to a hardware decryptor and to send those decrypted packets via protected hardware to the hardware video decoder.
  • 9. Linaro Clear Key CDM Class
      The Linaro Clear Key CDM is very much self-contained in one source directory and implemented in an extended media class. Below you will find a UML diagram detailing the implementation that corresponds to the sequence diagram previously referenced.
  • 11. OpenCDM
      Fraunhofer FOKUS has created an open source implementation of a CDM interface; it has been tested against Microsoft PlayReady(R). The Fraunhofer FOKUS interface has added support for the media engine to authenticate itself to the DRM platform. That being said, on an embedded system, if the file system is read-only and the platform image is authenticated at boot, I wonder how necessary this feature is?
      The architecture notes for the OCDM (Open Content Decryption Module): https://github.com/fraunhoferfokus/open-content-decryption-module/blob/master/docs/architecture_notes_ocdm.md
      Specifically, the OCDM has 3 abstraction layers:
      ● Browser Glue (implementation exists for Opera and Chromium)
      ● Core
      ● Communication
      A more in-depth examination of running OCDM in Chromium should be done. I would also note that having support for OCDM does not exclude support for the native Chromium CDM at the same time. Multiple CDMs can be available to the browser at once.
  • 12. Current state of the implementation
      The Linaro Clear Key implementation has the same basic layout as the chromium external clear key implementation; however, at this time there are no software decryptors and no video decoders implemented. It would be very easy to implement these features in software, but since the STB hardware is our target platform we need to implement platform software that targets hardware acceleration. That being said, the call flows are the same (just no decrypted video comes out on the display).
      The next steps for the Linaro CDM should be the following:
      ● Move away from the DecryptandDecode implementation. This is how the initial work has been developed: the packets are decrypted and the decrypted frames are passed to the browser for rendering (via ffmpeg).
      ● Move away from the simple clear key implementation and use a simple DRM system that will have a license server, so that keys can be fetched and the call flow is as close to real world as possible.
      ● Have the decrypted packets played back with gstreamer or some other media playback mechanism.
      ● Showcase the ability of the ARM TrustZone(R) to protect decrypted video buffers in a secure playback pipeline.
  • 13. Integrating 3rd Party DRM’s.
      Integrating a third party DRM system such as VideoGuard or Verimatrix into an EME based solution is very much possible. This has already been accomplished with solutions like Widevine and PlayReady. Some general steps that will be required for implementation include, but are not limited to:
      1. A session based glue layer implemented on top of the DRM.
      2. As previously described, all communications to and from the secure server must happen through the user agent (web browser JavaScript app) in a secure HTTPS manner. No out-of-band communication is allowed.
      3. A JavaScript / HTML5 app must be written to do the authorization, authentication and personalization of the connection. It must also proxy all communications to and from the CDM implementation.
      4. All persistent sessions will have to implement the CDM persistent memory APIs.
      These are just some of the changes that must be implemented to port an existing DRM system to a CDM / EME implementation.
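
The license/key exchange from slide 6 (the CDM fires a message, the page relays it to the license server, and the response returns through update), as an added JavaScript example that is not part of the original slides or the Linaro code. It assumes the Clear Key JSON request and JWK Set license formats of the W3C EME spec the slides cite; the function names, the stand-in license server, the 128-bit key length check, the rejection of unrequested key IDs, and the sample key ID and key are all constructed for illustration.

```javascript
// Added example: names, sample values and policy checks are illustrative assumptions.
const B64URL = /^[A-Za-z0-9_-]+$/;
// Decode unpadded base64url, rejecting input Node's lenient decoder would accept.
function b64urlDecode(s) {
  if (typeof s !== 'string' || !B64URL.test(s) || s.length % 4 === 1) throw new TypeError('not base64url');
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
}
function b64urlEncode(buf) {
  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// CDM side: body of the "message" event fired after createSession.
function buildLicenseRequest(keyIds, type = 'temporary') {
  return JSON.stringify({ kids: keyIds.map(b64urlEncode), type });
}

// Stand-in license server (constructed): answers a request with a JWK Set.
function licenseServer(requestJson, keyStore) {
  const { kids, type } = JSON.parse(requestJson);
  const keys = kids.filter((kid) => keyStore.has(kid)).map((kid) => ({ kty: 'oct', kid, k: keyStore.get(kid) }));
  return JSON.stringify({ keys, type });
}

// CDM side: update() handler. Returns Map<hex key ID, Buffer key>.
function extractKeys(licenseJson, requestedKeyIds) {
  const license = JSON.parse(licenseJson);
  if (!Array.isArray(license.keys) || license.keys.length === 0) throw new TypeError('no keys');
  const wanted = new Set(requestedKeyIds.map((id) => id.toString('hex')));
  const keys = new Map();
  for (const jwk of license.keys) {
    if (jwk.kty !== 'oct') throw new TypeError('kty must be "oct"');
    const kid = b64urlDecode(jwk.kid).toString('hex');
    const key = b64urlDecode(jwk.k);
    if (key.length !== 16) throw new RangeError('expected a 128-bit key'); // assumption
    if (!wanted.has(kid)) throw new Error('unrequested key ID'); // assumed policy
    keys.set(kid, key);
  }
  return keys;
}

// The page relays both messages; the CDM never contacts the server itself.
function demoExchange() {
  const kid = Buffer.from('00112233445566778899aabbccddeeff', 'hex'); // constructed
  const key = Buffer.from('0f0e0d0c0b0a09080706050403020100', 'hex'); // constructed
  const store = new Map([[b64urlEncode(kid), b64urlEncode(key)]]);
  const message = buildLicenseRequest([kid]);     // CDM -> page
  const response = licenseServer(message, store); // page -> server -> page
  return extractKeys(response, [kid]);            // page -> CDM via update()
}
```

In a browser the relay step in `demoExchange` is the page's handler for the session's message event, and everything passed through it travels over HTTPS as slide 7 requires.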